Cyberespionage and the New Hacktivism
- April 30, 2021
- Clayton Rice, Q.C.
Cyberespionage is the act of obtaining information from individuals, governments and private-sector entities without permission for political or military advantage. In the cyber universe, espionage involves access to computers or networks for a strategic gain. It is distinct from cyber threats motivated by theft or fraud. A hacker is someone who exploits weaknesses in a computer system or network and may be motivated by a variety of reasons including profit, ransom or evaluation of system defences. At a time when government agencies and corporations are being targeted by increasingly sophisticated hackers, an old threat is re-emerging – activist hackers looking to score political points.
1. The SolarWinds Hack
On December 14, 2020, the commercial software developer SolarWinds announced that its network management software, Orion, had been targeted by a cyberespionage operation that I discussed in a previous post to On The Wire. (here) The hackers inserted malicious code into Orion software updates rolled out to nearly 18,000 customers. The early reports confirmed that the scope of the breach included the U.S. Treasury Department and the Department of Commerce. During the ensuing days, the breadth of the months-long cyberespionage operation continued to unfold, extending to the Department of Homeland Security and hundreds of private sector companies.
On April 15, 2021, the United States government released a statement identifying Russia’s foreign intelligence service (SVR) as responsible. (here) Although the government had previously said Russia was behind the sprawling hack, the announcement by the White House was the first formal statement tagging Russia as the responsible actor. While some national security experts see the SolarWinds breach as a traditional form of espionage, the Treasury Department identified the “scope and scale” of the compromise as a national security concern. In solidarity with the United States, Josep Borrell, the High Representative of the European Union and former President of the European Parliament, expressed alarm over the increase in activities affecting communication technology products that may have “systemic effects” compromising “society, security and economy.” (here)
It was Microsoft’s code, however, that was exploited by the cyberspies as they romped undetected among networks and rifled through emails and files of high profile targets such as Homeland Security chief, Chad Wolf. Microsoft has now offered all U.S. federal agencies a year of advanced security features. In a recent article titled SolarWinds hacking campaign puts Microsoft in the hot seat, cybersecurity journalist Frank Bajak discussed a report by the nonpartisan Atlantic Council that described the hackers’ abuse of Microsoft’s identity and access architecture as “a widespread intelligence coup”. (here) What, then, is cyberespionage and what is the vocabulary that describes how it differs from other kinds of hacking?
The Tallinn Manual (2013), published following the NATO Cooperative Cyber Defense Center of Excellence conference in Tallinn, Estonia, defines cyberespionage as “an act undertaken clandestinely or under false pretences that uses cyber capabilities to gather (or attempt to gather) information with the intention of communicating it to the opposing party.” (here) The United States, Russia and China are generally considered to be the most advanced cyberspies. The United States has incorporated cyberwarfare into its war doctrine and is devoting increased funding to securing vulnerable infrastructure such as electricity, oil and gas systems. The People’s Liberation Army of China has been reported as possessing malware capable of taking down electricity or water grids. And Russia is deploying its cyber capabilities more aggressively than just looking for secrets.
The core tenet of cyberespionage is secrecy. Cyberspies want to get in and get out – undetected. The object is to view classified material, not steal it. Cyberespionage attacks therefore tend to be subtle. The goal is frequently to acquire government secrets or intellectual property. (here) Although attacks may be deployed in conjunction with military operations, it is important to emphasize that cyberespionage and cyberwarfare are not the same thing. The primary goal of cyberespionage is to remain hidden for as long as possible in order to collect intelligence; whereas the primary object of cyberwarfare is to disrupt the activities of a nation state. (here) Jarno Limnell, Director of Cybersecurity at Stonesoft Corporation, a network security developer based in Helsinki, Finland, has emphasized the importance of avoiding “cyberwar rhetoric” as it “easily feeds an atmosphere of fear” and may lead to “an intensified arms race.” (here)
Cyberespionage has been considered both a threat and a motive in the “cybersecurity playbook”. In a report titled Cyberespionage: ENISA Threat Landscape (2019) the European Union Agency for Cybersecurity defined cyberespionage as “the use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.” (here) The report found that global organizations consider cyberespionage a growing threat affecting industrial sectors as well as critical and strategic infrastructures. Potential targets include government ministries, railways, telecommunication providers, energy companies, hospitals and banks. The focus of cyberespionage, then, is on driving geopolitics.
3. The Till Kottmann Indictment
On March 18, 2021, the prolific Swiss hacker, Till Kottmann, was indicted by a grand jury in the United States District Court for the Western District of Washington, at Seattle, for conspiracy to access computers without authorization and identity and data theft. (here) The indictment alleges that Kottmann (also called “deletescape” and “tillie crimew”) targeted “git” and other source code repositories belonging to private companies and public sector entities. Kottmann cloned the source code, files, and other confidential and proprietary information, including hard-coded administrative credentials, access keys, and other means of further system or network access. Kottmann then used such means of access to further infiltrate the internal infrastructure of the targets and copy additional files, records and information. The data was then published or leaked.
The indictment covers the time frame of November 2019 to March 2021 and asserts that, on October 21, 2020, Kottmann tweeted from the @antiproprietary Twitter account that “stealing and releasing” corporate data and “using up corporate resources,” including “by means of ransom,” was “the morally correct thing to do.” The indictment alleges that Kottmann hacked dozens of companies and government agencies, and purportedly published files and records of more than 100 entities for public download, while obtaining financial benefit by designing and selling clothing and paraphernalia related to “computer hacking and anti-intellectual-property ideology.” In a press release by the Department of Justice, Acting U.S. Attorney Tessa M. Gorman said: “Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.” (here)
On March 8, 2021, Kottmann had acquired notoriety when the group gained access to the network of Verkada, a cloud-based security camera company, for thirty-six hours. The hackers collected about 5 gigabytes of data including camera footage and recordings from more than 150,000 cameras in locations such as a Tesla factory, a jail in Alabama, a Halifax hospital and residential properties. The group also accessed Verkada’s financial data and the corporate networks of Cloudflare and Okta. During the hack, Kottmann tweeted: “What if we just absolutely ended surveillance capitalism in two days?” They told Bloomberg their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it.” (here)
4. The New Hacktivism
In an article titled New wave of ‘hacktivism’ adds twist to cybersecurity woes, Joseph Menn, an investigative security reporter for Reuters, identified a different kind of cyber threat that is re-emerging – activist hackers looking to make a political point. (here) Mr. Menn discussed three major hacks that display the power of this new wave: (1) the exposure of AI-driven video surveillance that was conducted by Verkada; (2) a collection of videos of the U.S. Capitol riot on January 6, 2021, from the “right-wing social network Parler”; and, (3) disclosure of the Myanmar military junta’s “high-tech surveillance apparatus.” The Kottmann indictment, Mr. Menn said, shows that “officials regard the return of hacktivism with alarm.”
Earlier waves of hacktivism, such as the amorphous collective known as Anonymous, have largely faded away under pressure from law enforcement. But a new generation of hackers is on the rise which is angry about the dissemination of propaganda by tech companies. According to Mr. Menn, some former members of Anonymous are returning to the political fray, including Aubrey Cottle, who helped to revive the group’s social media presence in support of the Black Lives Matter movement. “This move by the U.S. government is clearly not only an attempt to disrupt freedom of information,” Kottmann told Reuters, “but also primarily to intimidate and silence this newly emerging wave of hacktivists and leaktivists.”
Many cyberespionage breaches begin with phishing campaigns or theft of credentials which are then used to infiltrate targeted systems. The SolarWinds supply-chain hack appears to be a classic cyberespionage operation in that the initial disclosure of the breach by SolarWinds came five days after cybersecurity incident response firm, FireEye, announced it had sustained an intrusion that resulted in the theft of approximately 300 proprietary software tools that the company provides to clients to help secure their IT operations. The point I am making here is that cyberespionage involves the use of computers or digital communications to access information about an adversary for the purpose of gaining an advantage. The theft preceding the SolarWinds hack was committed in order to access targeted systems. Theft does not appear to have been the objective once access was gained.
The Kottmann indictment, however, specifically alleges that the “objects” of the conspiracy included “stealing confidential and proprietary files” and the information stored on them. The allegation of theft therefore takes the Kottmann case outside the domain of cyberespionage. The indictment spotlights the distinction between hackers and crackers. Hackers (SolarWinds) access computer systems to acquire information. Crackers (Kottmann) hack systems to do damage such as steal data or cause disruption. (here) And the claim of morally grounded hacktivism by Kottmann adds an additional layer of analytical complication. Hacktivism is a controversial term rooted in hacker culture that has been associated with civil disobedience. The word ‘hacktivism’ has often been used to describe direct action in furtherance of social change. Till Kottmann’s anti-capitalist and anti-intellectual-property philosophy has now brought them to the place where conflict between conscience and the collective must inevitably lead – to a courtroom.